IPsec

• H

  One way traffic over IPSec tunnel
  • hienmai

  20
  0
  Votes
  20
  Posts
  496
  Views

  H

  @Derelict Here is the configuration on pfSense 2 And the route installed when IPSec tunnel established:
• T

  IPSec tunnels drop during P1 Rekey version 2.4.3-RELEASE-p1
  • tuscany22

  5
  0
  Votes
  5
  Posts
  230
  Views

  

  Awesome. Please post back if you see continuing issues.
• L

  More than one Moblie IPSEC client from same Public IP
  • luispereira

  6
  0
  Votes
  6
  Posts
  127
  Views

  L

  I tried somethings but the L2TP never worked on a second client in same remote site (same Public IP)... I see the IPSEC connexion but I'm rejected, seems in L2TP...
• D

  IPSec Causes Local Routing Issues
  • david_halliday

  3
  0
  Votes
  3
  Posts
  168
  Views

  D

  Ah, should have thought about LAN bypass. Oh well. In the end I went and renumbered everything out of 10.40/16 and into another Class C 192.168.201.0/24. I am looking forward to 2.4.4. however, routed IPSEC sounds like the real solution. This is how the Juniper SRX on the other end handled things. Creates and extra interface and you simply route down that interface. Thanks again for the input it is appreciated.
• H

  IPSec bypass-lan does not work / plugin missing
  • hege

  4
  0
  Votes
  4
  Posts
  235
  Views

  

  I don't recall the history there specifically. I'm not familiar with that plugin myself. In the past, however, there were a number of strongSwan plugins that were not supported on FreeBSD or did not work properly there. It would not surprise me to find that was the case here, or that SPDs behaved in a more consistent and predictable manner.
• C

  Does pfSense need interface with IP that matches IPsec tunnel traffic
  • coreybrett

  5
  0
  Votes
  5
  Posts
  175
  Views

  C

  So this worked brilliantly! Thank you so much.
• K

  Routing over ipsec VPN
  • kapara

  2
  0
  Votes
  2
  Posts
  142
  Views

  

  Try OpenVPN for B-C, it runs pure UDP or TCP, so can work when the provider is blocking other protocols. You should be able to add the C subnet to the B-A phase2 and vise versa.
• Z

  Route specific IP Range via IPSEC VPN.
  • zMaliz

  2
  0
  Votes
  2
  Posts
  96
  Views

  

  You need to add Phase 2 entries to cover the traffic between 192.168.16.X and 10.0.0.X. Those need to be on both tunnels. Steve
• I

  ipsec fixed ip based on username
  • ivarh

  1
  0
  Votes
  1
  Posts
  116
  Views

  No one has replied

• P

  Pfsense 2.4.x to USG ipsec issues
  • pfsenseuser1

  2
  0
  Votes
  2
  Posts
  199
  Views

  P

  https://www.synology.com/en-us/knowledgebase/SRM/tutorial/VPN/How_to_set_up_Site_to_Site_VPN_between_Synology_Router_and_UniFi_SG Based on the article above, the settings below seem to be stable on both sides so far Phase 1: Encryption: AES128 Authentication: SHA1 Key life: 14400 DH Group: 14 (modp 2048) DPD (Dead Peer Detection): disable Phase 2: Encryption: AES128 Authentication: SHA1 Key life: 14400 DH Group: 14 (modp 2048) The only thing on the USG side is selecting Enable Perfect Forward Secrecy (PFS) checkbox. Update Been up for 19 hours solid
• N

  How to set up l2tp/ipsec VPN?
  • nicolaj

  2
  0
  Votes
  2
  Posts
  164
  Views

  N

  I noticed how the official guide says "Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, Windows clients will most likely not function. Consider an IKEv2 implementation instead." Wouldn't that almost always be the case, aren't the vast majority of home networks running nat by default? But doesn't look like a better option, as the guide mentions that mobile clients needs to download a third part vpn app. And you need to transfer ca files between clients.
• 

  IPSec tunnel: Cannot open remote webconsole.
  • Herman

  5
  0
  Votes
  5
  Posts
  204
  Views

  

  Good day Folks, Walked everything through again to figure out what’s going wrong here. The remote subnet is 10.230.248.0/21. When I calculate this, the amount of host will be 2046. The host range will be 10.230.248.1 till 10.230.255.254. Correct me if I am wrong but 10.230.252.125 should be reachable as well, right? Very strange that I can ping and reach 10.230.252.114 but not 10.230.252.125? Again, when I am at work, 10.230.252.125 van be pinged and the webhost is reachable correctly. Does this make sense to anybody? Kind regard, Herman F.
• M

  IPSEC to AWS not routing traffic
  • mkipp

  2
  0
  Votes
  2
  Posts
  322
  Views

  J

  Having a similar situation and wondering if you every resolved this, can't find much of any response or help for the issue on this forum. Established tunnel without issue to the AWS hosted PFSense from a sonic wall. Can watch the inbound pings hit the system but no progress from their or response.
• S

  IPSEC tunnel issues to a Cisco RV320
  • stevetoza

  10
  0
  Votes
  10
  Posts
  570
  Views

  C

  @stevetoza Off-Topic but here goes. We've experienced all sorts of things with the Cisco RV325 series. Stability however isn’t one of them when running several heavy traffic IPSec tunnels. We swapped out our RV320/325's for virtual pfSense appliances. After a lengthy support thread with a very helpful Cisco support guy they swapped all our units for the new RV340 which is a significantly better hardware platform but since we've been bitten quite a few times by RV320's just going dark on us we now use them as expensive switches. SNMP showed that each time they went offline it was because of pure memory starvation. An RV325 unit with 5 IPSec tunnels and a bunch of local attached stuff would keep running for max 2-3 weeks and then would slowly die, first the web-console would stop responding (and it's already painstakingly slow) and a few hours later all the IPSec tunnels would become unresponsive. There's no automation for these boxes and we don't have managed PDU's so instead of driving to the site location to switch them literally off & back on I rolled some selenium GUI manipulation to power-cycle them every week like that. Seriously. Also had to power cycle twice because sometimes the first reboot wouldn't bring up the IPSec tunnels and when that happened they would never become active, only a secondary reboot would fix that. Seeing your print screen of the web-console throws me back to a lonely, dark and painful place ;)
• E

  IPSEC one user, multiple connections
  ipsec vpn mobil • • epouliot

  3
  0
  Votes
  3
  Posts
  148
  Views

  E

  That's it! Thank you so much!
• M

  l2tp/ipsec force client to use pre-sharedkey
  • matteo77

  2
  0
  Votes
  2
  Posts
  113
  Views

  

  Your going to have to give us a bit more to go on vs just saying you have setup l2tp/ipsec.. https://www.netgate.com/docs/pfsense/book/l2tp/l2tp-with-ipsec.html What client are you using?
• O

  is it possible to implement redundant IPSec tunnels over 2 different WAN connections?
  • opticalc

  3
  0
  Votes
  3
  Posts
  228
  Views

  R

  Hi I've done such a setup with two PFSenses. each has a seperate WAN Provider. The other site is a single HA Vmware NSX Edge Firewall. I made a scripts which checks the WAN Connection. If the internet fails, the script will switches to the backup PFSense and start there the VPN Tunnel. There is nothing much you can do else. I'm also waiting for VTI Tunnel Support on 2.4.4
• A

  IPsec connection 'partially' blocked
  • awair

  1
  0
  Votes
  1
  Posts
  125
  Views

  No one has replied

• F

  PFSense IPSec with phase 2 remote subnet overlaps local subnet.
  • Fenx42

  4
  0
  Votes
  4
  Posts
  230
  Views

  F

  Ahh.. Got it. But I have 7 interfaces LAN I have to apply this to, not just one. In the pfSense website, I found Bug 5826 that describes the problem I'm having. https://redmine.pfsense.org/issues/5826 . I'll do some research to see if I get into the strongSwan config if I might be able to do this for multiple interfaces manually. Thanks again for the help. I never noticed the Auto-exclude LAN address feature in IPSec.
• E

  Configure AWS Pfsense instance to failover IPsec to another instance
  • erosalesMBGE

  1
  0
  Votes
  1
  Posts
  143
  Views

  No one has replied

• L

  L2TP closes connection for unknown reason
  • lifeboy

  11
  0
  Votes
  11
  Posts
  415
  Views

  L

  I have sort of bypassed my problem by downgrading my mikrotik routeros version, but of course that opens me up to possible exploits with may have been fixed since. I have not considered that client connecting/disconnecting could be causing this though, so I will careful note what happens next time I have a disconnect.
• M

  Is there any limit on maximum number of ipsec tunnels
  • manishchawla2017

  3
  0
  Votes
  3
  Posts
  757
  Views

  A

  Hello I've 50 phase 1 and 150 phase 2 on my pfsense server (hp G8). CPU Type Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz 8 CPUs: 2 package(s) x 4 core(s) AES-NI CPU Crypto: Yes (active) Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM The last tunnel I created is causing trouble. Phases 1 and 2 UP from time to time and when they are UP, I have no traffic passed. I tested this vpn on a virtual machine pfsense and everything is OK. I wonder if I'm reaching a tunnel limit. If yes, how to properly modify the ikesa_table_size value to 1024 so that it is taken into account in case of reboot / upgrade? Thank you for your help.
• A

  Supposed General IPSec Vulnerability - Does it affect us?
  • asiTechsupport

  6
  0
  Votes
  6
  Posts
  576
  Views

  

  Since CERT has now also made the details of this issue public, I made our Redmine issue for it public: https://redmine.pfsense.org/issues/8667
• O

  Site to Site IPSec VPN over AT&T Wireless
  • oggsct

  3
  0
  Votes
  3
  Posts
  226
  Views

  O

  I have removed the check for Disable rekey. Should I be setting a margintime? I am using distinquished name for the identifiers as that is what I have commonly used in similar setups. While the error continues to point to a PSK mismatch, the keys match, I have copied the key from one configuration page to the other. Here are some more logs following the changes Aug 16 08:56:31 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 3744141107 processing failed Aug 16 08:56:31 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request Aug 16 08:56:31 charon 12[IKE] <con1000|2> message parsing failed Aug 16 08:56:31 charon 12[ENC] <con1000|2> could not decrypt payloads Aug 16 08:56:31 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed? Aug 16 08:56:31 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes) Aug 16 08:56:30 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes) Aug 16 08:56:30 charon 12[IKE] <con1000|2> sending retransmit 2 of request message ID 0, seq 3 Aug 16 08:56:23 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 468255107 processing failed Aug 16 08:56:23 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request Aug 16 08:56:23 charon 12[IKE] <con1000|2> message parsing failed Aug 16 08:56:23 charon 12[ENC] <con1000|2> could not decrypt payloads Aug 16 08:56:23 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed? Aug 16 08:56:23 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes) Aug 16 08:56:23 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes) Aug 16 08:56:23 charon 12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3 Aug 16 08:56:19 charon 10[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 2140660544 processing failed Aug 16 08:56:19 charon 10[IKE] <con1000|2> ignore malformed INFORMATIONAL request Aug 16 08:56:19 charon 10[IKE] <con1000|2> message parsing failed Aug 16 08:56:19 charon 10[ENC] <con1000|2> could not decrypt payloads Aug 16 08:56:19 charon 10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed? Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes) Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes) Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] Aug 16 08:56:19 charon 10[IKE] <con1000|2> local host is behind NAT, sending keep alives Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes) Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes) Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ] Aug 16 08:56:19 charon 10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID Aug 16 08:56:19 charon 10[IKE] <con1000|2> received FRAGMENTATION vendor ID Aug 16 08:56:19 charon 10[IKE] <con1000|2> received DPD vendor ID Aug 16 08:56:19 charon 10[IKE] <con1000|2> received XAuth vendor ID Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ] Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes) Aug 16 08:56:18 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes) Aug 16 08:56:18 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ] Aug 16 08:56:18 charon 10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149 Aug 16 08:56:18 charon 12[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4} Aug 16 08:52:53 charon 12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding Aug 16 08:52:53 charon 12[IKE] <con1000|1> giving up after 5 retransmits Aug 16 08:52:06 charon 07[CFG] ignoring acquire, connection attempt pending Aug 16 08:52:06 charon 05[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4} Aug 16 08:51:41 charon 16[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4} Aug 16 08:51:40 ipsec_starter 62014 'con1000' routed Aug 16 08:51:40 charon 14[CFG] received stroke: route 'con1000' Aug 16 08:51:40 charon 16[CFG] added configuration 'con1000' Aug 16 08:51:40 charon 16[CFG] received stroke: add connection 'con1000' Aug 16 08:51:40 ipsec_starter 62014 'bypasslan' shunt PASS policy installed Aug 16 08:51:40 charon 13[CFG] received stroke: route 'bypasslan' Aug 16 08:51:40 charon 14[CFG] added configuration 'bypasslan' Aug 16 08:51:40 charon 14[CFG] received stroke: add connection 'bypasslan' Aug 16 08:51:40 charon 15[CFG] deleted connection 'con1000' Aug 16 08:51:40 charon 15[CFG] received stroke: delete connection 'con1000' Aug 16 08:51:40 ipsec_starter 62014 configuration 'con1000' unrouted Aug 16 08:51:40 charon 13[CFG] received stroke: unroute 'con1000' Aug 16 08:51:40 charon 14[CFG] deleted connection 'bypasslan' Aug 16 08:51:40 charon 14[CFG] received stroke: delete connection 'bypasslan' Aug 16 08:51:40 ipsec_starter 62014 shunt policy 'bypasslan' uninstalled Aug 16 08:51:40 charon 15[CFG] received stroke: unroute 'bypasslan' Aug 16 08:51:40 charon 13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls' Aug 16 08:51:40 charon 13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts' Aug 16 08:51:40 charon 13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts' Aug 16 08:51:40 charon 13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts' Aug 16 08:51:40 charon 13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts' Aug 16 08:51:40 charon 13[CFG] loaded IKE secret for %any @sitea.sitea-to-siteb Aug 16 08:51:40 charon 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets' Aug 16 08:51:40 charon 13[CFG] rereading secrets Aug 16 08:51:37 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes) Aug 16 08:51:37 charon 08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3 Aug 16 08:50:55 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes) Aug 16 08:50:55 charon 08[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 3 Aug 16 08:50:32 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2027756021 processing failed Aug 16 08:50:32 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request Aug 16 08:50:32 charon 08[IKE] <con1000|1> message parsing failed Aug 16 08:50:32 charon 08[ENC] <con1000|1> could not decrypt payloads Aug 16 08:50:32 charon 08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed? Aug 16 08:50:32 charon 08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes) Aug 16 08:50:32 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes) Aug 16 08:50:32 charon 08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3 Aug 16 08:50:19 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2405277567 processing failed Aug 16 08:50:19 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request Aug 16 08:50:19 charon 08[IKE] <con1000|1> message parsing failed Aug 16 08:50:19 charon 08[ENC] <con1000|1> could not decrypt payloads
• C

  IPSec Site to site VPN
  • clinx

  2
  0
  Votes
  2
  Posts
  243
  Views

  

  You are going to have to do what you need to do on those upstream devices to make it work, it sounds like. If they can do some sort of PPPoE pass through so pfSense itself is the PPPoE client you will probably be happier. If not, the first thing I would check is that IPsec on both sides is set to use the public IP address as the identifier. If you just set My IP Address as My Identifier on the left side and connect to 124.107.X.X, and they are configured to expect 180.190.y.y as the identifier, it won't work. If you configure the left side to be My Identifier: IP Address: 180.190.y.y it might work. If those PPPoE addresses are not static (you get the same assignment every time), but dynamic (they change), you will probably have to move to setting the IDs on both sides to a distinguished name set to a dynamic DNS name that change with the PPPoE address. PPPoE pass through on the ISP devices is probably the easiest thing.
• T

  Firewall > Rules > IPsec tab does not exist
  • theos

  3
  0
  Votes
  3
  Posts
  158
  Views

  T

  It works now - either from updating pfSense to 2.4.x or ensuring that both P1 and P2 are enabled (I thought they were to begin with).
• N

  Second IPSec issues / IPSec redundancy queries
  • nilarionov

  3
  0
  Votes
  3
  Posts
  223
  Views

  

  Is secondary peer supported on the PFSense? How does the PFSense react on two tunnels with the same phase 2 entires - while one of them is disabled and the other one is active? What would be a best practice and/or recommendation to run IPSec redundancy? Is route based VPN supported on the device? If so, any particular notes on NATs/Rules? 1- No. You can use a dynamic hostname, but that's another discussion. 2- Not sure what your issue is, I have used disabled tunnels at several sites. Just disable the primary on both sites, clear any active sessions, and enable the secondary on both sides. 3- Skipping this, it varies based on situation. 4- See the release notes for the upcoming 2.4.4 release for routed IPSec.
• C

  Force DNS server
  dns ipsec splittunnel • • chris2017

  3
  0
  Votes
  3
  Posts
  252
  Views

  C

  Changed the client's metric. Ethernet > VPN.
• J

  IPSec Tunnel down all of a sudden with no changes. Can access both ends.
  • JimPhreak

  2
  0
  Votes
  2
  Posts
  150
  Views

  J

  So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot which has now fixed the issue. Weird one.
• N

  OpenVPN + IPSec tunnels
  • newcmelgar

  1
  0
  Votes
  1
  Posts
  119
  Views

  No one has replied

• A

  ipsec site to site with DMZ in one site and ppoe in the other
  • archi989

  1
  0
  Votes
  1
  Posts
  123
  Views

  No one has replied

• J

  Traffic over 2 VPN
  • jschulz

  2
  0
  Votes
  2
  Posts
  143
  Views

  

  You need to add Phase 2 entries to your existing tunnels to carry that traffic. On the tunnel from 1-2: Phase 2 for 1-2 Phase 2 for 3-2 On the tunnel from 1-3: Phase 2 for 1-3 Phase 2 for 2-3 And then on the other end of each tunnel, reverse the local/remote as usual. Make sure all of those are allowed in firewall rules as well.
• E

  Cannot establish IPSEC tunnel using double pfSense inner and outer firewalls on each side
  • epicitsupport

  3
  0
  Votes
  3
  Posts
  201
  Views

  C

  Is this already fixed? I think we are having same issue. How did you fixed it?
• E

  IPSec bandwidth between two sites cycles between high and low
  • ensnare

  1
  0
  Votes
  1
  Posts
  111
  Views

  No one has replied

• A

  IPSec Routing stops working??
  • al_no

  4
  1
  Votes
  4
  Posts
  289
  Views

  J

  Update: I've upgraded to 2.4.3-RELEASE-p1 switched back to IPSec from OpenVPN and haven't experienced the issue ~72hrs and counting.
• A

  RSA ipsec : no private key found...
  • akempiak

  3
  0
  Votes
  3
  Posts
  323
  Views

  A

  Yes you are right, it works now! (in fact, in the meantime, I tried using PSK auth, and same issue with bad identifiers but error messages were more relevant for me). solution for anyone who would have this issue => use altNames values of certificates (get it with "ipsec listcerts" command) in the leftid/rightid strongswan's tunnel parameters. Thanks for your reply.
• R

  key_acqdone / key_delete
  • richie1985

  3
  0
  Votes
  3
  Posts
  139
  Views

  R

  yes site 2 site vpn with ipsec
• B

  IPSEC to CradlePoint...Tunnel Established But No Ping
  • b_levitt

  17
  0
  Votes
  17
  Posts
  440
  Views

  

  Glad you got it working. Thanks for letting us know.
• D

  IPSec VLAN Passthrough
  • DK101

  1
  0
  Votes
  1
  Posts
  116
  Views

  No one has replied

• 

  Can't seem to get pfSense to stay connected to IPCop firewall
  • oklord

  3
  0
  Votes
  3
  Posts
  175
  Views

  

  We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec. Firewall rules on the IPsec tab would be for allowing pings originating from the other side. Be sure you are pinging from something interesting to IPsec, as in from a source address that is in the Local Network portion of a phase 2. You can set a source interface to something like LAN if you're using Diagnostics > Ping.